SEC501: Advanced Security Essentials - Enterprise Defender Waitlist

Mon, December 14 - Sat, December 19, 2015

Nearly 100% of the material covered in SEC501 is immediately applicable to the daily role of an analyst and a risk manager alike, regardless of industry.

Terry Boedeker, FireEye

By far, this is the most interesting, informative, and immediately applicable course I've taken.

Ken Ortiz, NOAA Fisheries

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials - Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and respond appropriately to any breach that does occur. This PREVENT - DETECT - RESPOND strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of whether it resides on a server, in a robust network architecture, or on a portable device.

Of course, despite an organization's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Therefore, organizations need to be able to detect attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, looking for indications of an attack, and performing penetration testing and vulnerability analysis against your organization to identify problems and issues before a compromise occurs.

Finally, once an attack is detected we must react quickly and effectively and perform the forensics required. Knowledge gained by understanding how the attacker broke in can be fed back into more effective and robust preventive and detective measures, completing the security lifecycle.

Course Syllabus

SEC501.1: Defensive Network Infrastructure

Overview

Making your network secure from attack starts with designing, building, and implementing a robust network infrastructure. There are many aspects to implementing a defense-in-depth network that are often overlooked when companies focus only on functionality. Achieving the proper balance between business drivers and core information security requires that an organization build a secure network that is mission-resilient to a variety of potential attacks.

On the first course day students will learn how to design and build a secure network that can both prevent attacks and recover after a compromise. They will also learn how to retrofit an existing network to achieve the level of protection that is required. Building a network is not that complicated, but it takes special skills to integrate all of the components so the network can withstand a variety of attacks and support the organization's mission. Students will learn how to design and implement a functionality-rich, secure network and how to maintain and update it as the threat landscape evolves.

CPE/CMU Credits: 6

Topics

Introduction to network security infrastructure as the target for attacks

Impact of compromised routers and switches

Escalating privileges at Layers 2 and 3

Weaknesses in Cisco router and switch architecture

Integrating and understanding existing network devices to defend against attacks

Implementing the Cisco Gold Standard to improve security

CISecurity Levels 1 and 2 benchmarks for routers

SANS Gold Standard switch configuration

Implementing security on an existing network and rolling out new devices

Advanced Layer 2 and 3 Controls

Filtering with access control lists

DHCP, ARP snooping, and port security

Introduction to network admission control and 802.1x

SEC501.2: Packet Analysis

Overview

"Prevention is ideal, but detection is a must" is a critical motto for network security professionals. While organizations always want to prevent as many attacks as possible, some adversaries will still sneak into the network. In cases where an attack cannot be prevented, security professionals must detect the indications that the attack is in progress and stop it before significant harm is caused. Packet analysis and intrusion detection are at the core of such timely detection. Organizations need to not only detect attacks but also to react in a way that ensures those attacks can be prevented in the future.

Because of the changing landscape of attacks, detecting them is an ongoing challenge. Today's attacks are more stealthy and difficult to find than ever before. Only by understanding the core principles of traffic analysis can you become a skilled analyst able to differentiate between normal and attack traffic. New attacks are surfacing all the time, so security professionals must be able to write rules that detect the latest advanced zero-day attacks before they compromise a network.

Traffic analysis and intrusion detection used to be treated as a separate discipline within many organizations. Today, prevention, detection, and reaction must be closely knit so that once an attack is detected, defensive measures can be adapted, proactive forensics implemented, and the organization can continue to operate.

SEC501.3: Pentest

Overview

Security is all about understanding, mitigating, and controlling the risk to an organization's critical assets. An organization must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise its network. While this was never an easy task, it is becoming much more difficult because threats are evolving rapidly and organizations are so complex. On day three, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration testing.

Finding basic vulnerabilities is easy but not necessarily effective if these are not the vulnerabilities attackers exploit to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about both external and internal penetration testing and the methods of black, gray, and white box testing.

Penetration testing is critical to identify an organization's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the organization's overall security.

CPE/CMU Credits: 6

Topics

Variety of penetration testing methods

Frequency and use of vulnerability analysis, penetration testing, and security assessment

Vulnerability analysis

How to perform vulnerability analysis

Key areas to identify and ways to fix potential problems

Key tools and techniques

Tools, techniques, and methods used in testing

Basic penetration testing

Methods and means of performing a penetration test

Focus, requirements, and outputs of a successful test

Prioritizing and remediating issues

Advanced penetration testing

Understanding and mapping to an organization's infrastructure

Application testing and system analysis

SEC501.4: First Responder

Overview

Any organization connected to the Internet or that has employees is going to have attacks launched against it. Even with a keen focus on robust network design, preventive security, and identifying vulnerabilities through penetration testing, some attacks will still occur. In these cases, identifying, analyzing, and responding effectively to the attack is critical.

Security professionals need to understand how to perform incident response, analyze what is occurring, and restore their organization back to its normal state as soon as possible. Day four will provide students with a proven six-step process to follow in response to an attack: Prepare, Identify, Contain, Eradicate, Recover, and Learn from previous incidents. Cyber incidents are a lot like a fire: the sooner you detect them, the easier they are to contain, and the less damage they cause. Therefore prompt incident response is a key follow-on to intrusion analysis.

Another key aspect of incident response is forensic analysis and discovery. Students will learn how to perform forensic investigation and identify indications of an attack. This information will be fed into the incident response process to ensure that the attack is prevented from occurring again in the future.

CPE/CMU Credits: 6

Topics

Incident handling process and analysis

Preparing for an incident

Identifying and responding

Containing a problem to preserve mission resilience

Identifying and eradicating the problem

Recovering system data, including restoring to normal operation

Lessons learned and follow-up reporting

Forensics and incident response

Windows response skills

Windows forensics tool chest

Linux/Unix response and analysis

Linux/Unix tools and system analysis

SEC501.5: Malware

Overview

As security professionals continue to build more proactive security measures, the methods of attackers will continue to evolve. A common way for attackers to target, control, and break into as many systems as possible is through the use of malware. Students must therefore understand what type of malware is currently available to attackers, as well as future trends and methods of exploiting systems. With this knowledge, students can then learn how to analyze, defend, and detect malware on systems and minimize its impact on the organization.

CPE/CMU Credits: 6

Topics

Malware

Types of malware and corresponding behavior

Dealing with malware

Tying malware into intrusion analysis and incident response

Windows malware

Using Microsoft Windows basic built-in CLI tools

Using Microsoft Windows advanced built-in CLI tools

Using Microsoft Windows built-in GUI tools

External tools and analysis

Using external tools to fight BHOs (browser helper objects)

Fighting rootkits with basic and advanced tools

Inspecting active processes

Using online resources to get help

SEC501.6: Data Loss Prevention

Overview

Cybersecurity is all about managing, controlling, and mitigating risk to your critical assets. In almost every organization, critical assets are made up of data or information. Whether it is a customer list, research plans, intellectual property, classified information, or a marketing plan, these data represent your organization's lifeline and must be properly protected. Perimeters are still important and critical, but as our networks become more porous and our data more portable, we are moving away from a fortress model and moving towards a focus on data.

Information no longer solely resides on servers where properly configured access control lists can limit access and protect our information. The same intellectual property that is protected on a server behind a strong perimeter can now be copied to laptops (i.e., portable servers) and plugged into networks (e.g., hotels, airports, and coffee shops). Those venues have no firewalls or security devices in place. This means that you must be able to protect the data no matter where it resides. A compromise of sensitive data will have an impact on your company, no matter how or where it was stolen.

Building a strong perimeter defense is a critical first step, but focusing on protecting and controlling critical data from loss is also critical to building strong preventive measures. Proactive security must be implemented to properly protect critical information and minimize its exposure.

CPE/CMU Credits: 6

Topics

Risk management

Calculating and understanding risk across an organization

Building proper risk mitigation plans

Applying proactive risk management processes

Incorporating risk management into all business processes

Understanding insider threats

Data classification

Building a data classification program

Key aspects of deploying and implementing classification of critical information

Staged roll-out of classifying new and existing information

Managing and maintaining portable data classification

Digital rights management

Understanding digital rights

Balancing digital rights with data classification

Managing access across the enterprise

Balancing functionality and security

Data loss prevention (DLP)

Identifying requirements and goals for preventing data loss

Identifying practical DLP solutions that work

Managing, evaluating, implementing, and deploying DLP

Additional Information

Testimonial

"This is the best technical training course I have ever taken. SEC501 exposed me to many valuable concepts and tools but also gave me a solid introduction to those tools so that I can continue to study and improve on my own." - Curt Smith, Hidalgo Medical Services

"SEC501 offers a great explanation of Net Defense best practices that often get overlooked." - Kirk G., U.S. Navy

"For an intensive and in-depth course, I found SEC501 to be extremely educational yet fun and entertaining." - Hisham Al-Muhareb, Saudi Aramco

Laptop Required

A properly configured laptop is required to participate in SEC501: Advanced Security Essentials - Enterprise Defender. Students must have Administrator privileges. Antivirus software is not recommended and may need to be disabled or uninstalled. If you have a production system already installed with data on it that you do not want to lose, it is recommended that you replace it with a clean hard drive.

Prior to the start of class, you must install the necessary software as described below. The following are minimal hardware requirements for your laptop:

You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation installed on your system. If you do not own VMware, you can download a free 30-day trial copy from the VMware website. If taking advantage of the trial offer, please make sure that the license will not expire before you complete the course. You will also need WinRAR installed.

While most labs will run fine for Mac/Fusion students, this configuration has not been tested and is not supported.

Final Checklist

We suggest going over the following checklist to make sure that your laptop is prepared for SANS SEC501: Advanced Security Essentials - Enterprise Defender:

The laptop meets hardware requirements outlined in this note.

If you use a trial copy of VMware Workstation, make sure that the VMware license will not expire before the class ends.

Prerequisites

While not required, it is recommended that students take SEC401: Security Essentials or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.

What You Will Receive

In this course, you will receive the following:

MP3 audio files of the complete course lecture

You Will Be Able To

Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks

Access tools that can be used to analyze a network to prevent attacks and detect the adversary

Decode and analyze packets using various tools to identify anomalies and improve network defenses

Understand how the adversary compromises systems and how to respond to attacks

Perform penetration testing against an organization to determine vulnerabilities and points of compromise

Apply the six-step incident handling process

Use various tools to identify and remediate malware across your organization

Create a data classification program and deploy data-loss-prevention solutions at both a host and network level

Hands-on Training

The students will participate in labs that:

Analyze network configurations for routers

Perform detailed analysis of traffic using various sniffers and protocol analyzers

Identify and track attacks and anomalies in network packets

Use various tools to perform penetration testing and network discovery

Analyze both Windows and Unix systems during an incident to identify signs of a compromise

Find, identify, and clean up various types of malware

Author Statement

After I finish teaching SEC401 (the precursor to the SEC501 course), it is always a thrill to see students leave with fire in their eyes and an excitement about them. They walked into class feeling overwhelmed that security is a lost cause, but now they leave class understanding what they need to do, and they have a focus and drive to do the right thing to secure their organizations.

The next question we receive on a constant basis is, "What course should I take next? How do I continue my journey?" Well, it depends on your focus area. Do you want to get more into perimeter protection, IDS, operating system security, etc.? The challenge is that many students work in jobs that do not allow them to focus on one area; they need to understand all of the key areas across security.

What students are telling us is that they want a Security Essentials Part 2 or a 500-level continuation of Security Essentials covering the next level of technical knowledge. With SEC501, SANS has decided to give students just what they have been asking for. I am beyond thrilled with the results: we have identified core foundation areas that complement SEC401 with no overlap and continue to build a solid security foundation for network practitioners.

After one recent class, a student ran up and gave me a big hug (he was a retired football player, so I did not argue) and said, "SANS is awesome. I have been frustrated in my job for over a year and had lost hope that you really could secure an organization and that anything I did made a difference. Just as my light of hope was burning out, I decided to take the Security Essentials course, figuring it was a lost cause. After this class the fire is burning brighter than it ever was. I feel like a kid again and cannot wait to go back to my company and make a difference. However, I think my boss is scared because I called him eight times throughout the week, telling him all of the great information and practical knowledge I learned!"

Having taught thousands of students, I am confident you will be just as excited and get similar results from SEC501. However, just for reference, hugs are optional.